[Security_sig] Update on CGL Security

Chris Wright chrisw at osdl.org
Thu Aug 5 08:58:53 PDT 2004

* Makan Pourzandi (Makan.Pourzandi at ericsson.com) wrote:
> Gé Weijers wrote:
> > Hi,
> > 
> > I'm assuming we're having a security SIG meeting tomorrow. If we don't 
> > or if you cannot attend I'd like to ask you for your opinion on the 
> > following:
> > 
> > I've studied ITU document "Security in Telecommunications and 
> > Information Technology" in some detail, and I've tentatively drawn the 
> > following conclusions:
> > 
> >    * telecommunications security is dictated by a host of ITU standards
> >    * studying a comprehensive subset of them is not feasible
> >    * the examples given in the ITU document do not have that much in
> >      common beyond basic mechanisms such as certificates, so a
> >      generically applicable security analysis is almost impossible.
> >    * we should therefore limit ourselves to the security of the
> >      underlying platform.
> I agree with you. However, we should take into account the 
> characteristics of CGL systems when defining the specs. Even though 
> the CG applications are very different, I believe that we should be able 
> to find some general common aspects like high availability for these 
> different applications. I agree that these are rather high level 
> requirements (and sometimes perhaps somehow vague), but if we don't take 
> them into account the NEPs/Linux distros risk not accepting them as 
> valid requirements. For example, we don't want to add a single point of 
> failure into the system, an example of this can be some sort of key 
> storage system that can not support any fail over mechanism.

We also need to make sure such requirements have a reality check.
Placing the bar too high is not helpful.  Well, OK, I do expect that
existing failover infrastructure could be enough for key storage.

> > One issue I have not resolved yet is whether the separation between 
> > control plane, management plane and end-user plane (see discussion of 
> > X.805 in ITU doc) is something we should include in our analysis or not.
> IMO, the security needs for different layers are sometimes completely
> different. For example, the security needs at management plane are
> definitely different from the needs at end-user plane. This should be
> reflected on the analysis, however, we don't want to have different sets 
> of requirements for each plane. What we could do is to explicitly 
> mention them in the document when needed. For example, we could mention 
> that "all communications at __management plane__ should be protected 
> against confidentiality and integrity".

I think it's very reasonable to have requirements that differ in each

Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
